Manual Chapter: Configuring IPsec for Tunnel Mode and Dynamic Security Negotiation

Overview: Implementation of the IPsec protocol suite

You can configure the IPsec and IKE protocols when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN) from one BIG-IP system to another. With this implementation, you configure the IKE protocol to establish a secure channel during Phase 1 negotiation, and you configure the IPsec protocol for Tunnel mode and dynamic security negotiation, using a custom IPsec policy.

[Figure: Illustration of an IPsec tunnel deployment. BIG-IP A (tunnel endpoint 2.2.2.2, local network 1.1.1.0/24) and BIG-IP B (tunnel endpoint 3.3.3.3, local network 4.4.4.0/24) are connected across the WAN by an IPsec tunnel; these are the addresses used in the tasks that follow.]

Dynamic negotiation of security parameters

The way to dynamically negotiate security parameters is to configure the Internet Key Exchange (IKE) protocol, which is part of the IPsec protocol suite. When you configure IKE, two agents, or peers, first establish a protected channel, known as an ISAKMP security association (ISAKMP-SA), and use it to authenticate each other. This exchange is known as Phase 1 negotiation.

Once Phase 1 is complete and the secure channel has been established, Phase 2 negotiation begins, in which the IKE peers dynamically negotiate the authentication and encryption algorithms, the keys, and the lifetime of the IPsec security associations that protect the payload. Without IKE, the system cannot negotiate these parameters or rotate the keys dynamically; they would have to be configured manually and identically on both systems.

About IPsec Tunnel mode

Tunnel mode causes the IPsec protocol to encrypt the entire original packet (the payload plus the original IP header). The encrypted packet then becomes the payload of a new outer packet with a new IP header, whose source and destination addresses are the two tunnel endpoints. Traffic sent in this mode reveals less to an observer than traffic sent in Transport mode, because the original IP header, including the addresses of the hosts behind each BIG-IP system, is encrypted along with the original payload; an observer on the WAN sees only the tunnel endpoint addresses and ESP.

Components of the IPsec protocol suite

The IPsec protocol suite on the BIG-IP system consists of these configuration components:

IKE peers
An IKE peer is a configuration object of the IPsec protocol suite that represents a BIG-IP system on each side of the IPsec tunnel. IKE peers allow two systems to authenticate each other (known as IKE Phase 1). An IKE peer is also known as an IKE agent. The BIG-IP system includes the well-known default IKE peer, named anonymous.
IPsec policies
An IPsec policy is a set of information that defines the specific IPsec protocol to use (Encapsulating Security Payload, or ESP), as well as the mode (Transport, Tunnel, or iSession). For Tunnel mode, the policy also specifies the endpoints of the tunnel, and for IKE Phase 2 negotiation, the policy specifies the security parameters (authentication and encryption algorithms, Perfect Forward Secrecy group, and SA lifetime) to be proposed in that negotiation. The way that you configure the IPsec policy determines how the BIG-IP system manipulates the IP headers in the packets. The BIG-IP system includes two default IPsec policies, named default-ipsec-policy and default-ipsec-policy-isession. A common configuration includes a bidirectional policy on each BIG-IP system.
Traffic selectors
A traffic selector is a packet filter that defines the source and destination IP addresses for the application traffic destined for the IPsec tunnel. A traffic selector references an existing IPsec policy. A common configuration includes a bidirectional traffic selector on each BIG-IP system.

Task summary

With this task, you can configure the IPsec and IKE protocols to secure traffic that traverses a wide area network (WAN), such as from one data center to another. This procedure configures IKE to establish a secure channel and configures IPsec in Tunnel mode.

To set up this configuration, you must verify a few prerequisite tasks, as well as create some configuration objects on the BIG-IP system.

Important: Perform these tasks on the BIG-IP system in both the local data center and the remote data center.

Prerequisites

Before you begin configuring IPsec and IKE, verify that these modules and BIG-IP system objects exist on the BIG-IP system in each data center:

BIG-IP Local Traffic Manager
This module directs traffic securely and efficiently to the appropriate destination on a network.
A standard virtual server on the BIG-IP system in each data center
This virtual server load balances application traffic. If the traffic is traversing an EtherIP or iSession tunnel, each virtual server must reference the corresponding profile type.
The default VLANs
These VLANs are named external and internal.

Task list

Creating an IKE peer

Use this procedure to create an IKE peer object on the BIG-IP system. The IKE peer object identifies the other BIG-IP system that the system you are configuring communicates with during Phase 1 negotiation. The IKE peer object also specifies the algorithms and credentials to be used for Phase 1 negotiation. Creating an IKE peer is a required step in establishing a secure channel between the two systems.

Important: Perform this task on each BIG-IP system.
  1. On the Main tab, click Network > IPsec > IKE Peers.
  2. Click the Create button. The New IKE Peer page opens.
  3. In the Name field, type a unique name for the IKE peer.
  4. In the Description field, type a brief description of the IKE peer.
  5. In the Remote Address field, type the IP address of the BIG-IP system that is remote to the system you are configuring. This address must match the Tunnel Remote Address value in the relevant IPsec policy.
  6. For the State setting, retain the default value, Enabled.
  7. For the IKE Phase 1 Algorithms area, retain the default values.
  8. For the IKE Phase 1 Credentials area, select one of the following:
     Option: The default values
       Description: The default authentication method is RSA signature.
       Important: If you have your own certificate file, key file, and certificate authority (CA), it is recommended for security purposes that you specify these files, using the Certificate, Key, and Trusted Certificate Authorities settings, so that each peer verifies the other's certificate against a CA you control.
     Option: The authentication method Preshared Key
       Description: This allows you to type a preshared key for use as the authentication method. Use a long, random value, and configure the identical key on both BIG-IP systems; Phase 1 fails if the keys differ.
  9. For the Common Settings area, retain all default values.
  10. Click Finished. The page refreshes and displays the new IKE peer in the list.
You now have IKE peers defined for establishing a secure channel.

Creating a bidirectional IPsec policy

Use this procedure to create a custom IPsec policy. You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.

Important: Perform this task on each BIG-IP system.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button. The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. In the Description field, type a brief description of the policy.
  5. From the Mode list, select Tunnel. The screen refreshes to show the Tunnel Local Address and Tunnel Remote Address settings.
  6. In the Tunnel Local Address field, type the local IP address of the system you are configuring. For example, based on the previous illustration, the tunnel local addresses for BIG-IP A and BIG-IP B are as follows:
    System Name Tunnel Local Address
    BIG-IP A 2.2.2.2
    BIG-IP B 3.3.3.3
  7. In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring. For example, based on the previous illustration, the tunnel remote addresses for BIG-IP A and BIG-IP B are as follows:
    System Name Tunnel Remote Address
    BIG-IP A 3.3.3.3
    BIG-IP B 2.2.2.2
  8. For the Authentication Algorithm setting, retain the default value, SHA-1.
  9. For the Encryption Algorithm setting, retain the default value, 3DES.
  10. For the Perfect Forward Secrecy setting, retain the default value, MODP1024.
  11. For the Lifetime setting, retain the default value, 1440. This is the length of time (in minutes) before the current security association expires and is renegotiated.
  Note: The defaults in steps 8 through 10 are retained here to match the illustration. 3DES, SHA-1, and 1024-bit MODP are legacy choices; for a new deployment, select stronger algorithms (for example, AES and SHA-256 with a 2048-bit or larger MODP group) whenever both peers support them. Whatever you choose, use the same values in the IPsec policy on the other BIG-IP system, because Phase 2 succeeds only when the two peers agree on a common proposal.
  12. Click Finished. The screen refreshes and displays the new IPsec policy in the list.
You now have an IPsec policy for each IPsec traffic selector.

Creating a bidirectional IPsec traffic selector

Use this procedure to create an IPsec traffic selector that references a custom IPsec policy. The traffic selector you create filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.
  1. On the Main tab, click Network > IPsec > Traffic Selectors.
  2. Click Create. The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. In the Description field, type a brief description of the traffic selector.
  5. For the Order setting, retain the default value (First).
  6. For the Source IP Address setting, click Host or Network, and in the Address field, type an IP address. This IP address should be the host or network address from which the application traffic originates. For example, based on the previous illustration, the source IP addresses for BIG-IP A and BIG-IP B are as follows:
    System Name Source IP Address
    BIG-IP A 1.1.1.0/24
    BIG-IP B 4.4.4.0/24
  7. From the Source Port list, select a source port, or retain the default value *All Ports.
  8. For the Destination IP Address setting, click Host or Network, and in the Address field, type an IP address. This IP address should be the final host or network address to which the application traffic is destined. For example, based on the previous illustration, the destination IP addresses for BIG-IP A and BIG-IP B are as follows:
    System Name Destination IP Address
    BIG-IP A 4.4.4.0/24
    BIG-IP B 1.1.1.0/24
  9. From the Destination Port list, select a destination port, or retain the default value * All Ports.
  10. From the Protocol list, select a protocol name. You can select * All Protocols, TCP, UDP, ICMP, or Other. If you select Other, you must type a protocol name.
  11. From the Direction list, select Both.
  12. From the Action list, select Protect. The IPsec Policy Name setting appears.
  13. From the IPsec Policy Name list, select the name of the bidirectional IPsec policy that you previously created.
  14. Click Finished. The page refreshes and displays the new IPsec traffic selector in the list.
You now have an IPsec traffic selector for each BIG-IP system.
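The three tasks above, expressed as tmsh commands, are shown here as an added example; this is the editor's illustration, not text or code from the F5 manual. It uses the addresses from the illustration (BIG-IP A at 2.2.2.2 fronting 1.1.1.0/24, BIG-IP B at 3.3.3.3 fronting 4.4.4.0/24). The object names and the preshared key are invented, and the attribute names (remote-address, phase1-auth-method, tunnel-local-address, ike-phase2-lifetime, and so on) are assumed from the tmsh reference for net ipsec; confirm them with tmsh help net ipsec ike-peer, tmsh help net ipsec ipsec-policy and tmsh help net ipsec traffic-selector on your release before running. Type the commands at the tmsh prompt, or prefix each with tmsh from bash; the # lines are comments for the reader.

```tmsh
# ---- BIG-IP A (tunnel endpoint 2.2.2.2, local network 1.1.1.0/24) ----

# Task 1: IKE peer for Phase 1. remote-address must equal tunnel-remote-address in the policy.
# Preshared key is shown because it needs no certificate files; the default method is
# rsa-signature, for which you would instead supply the certificate, key and CA settings.
create net ipsec ike-peer ike-peer-to-B remote-address 3.3.3.3 phase1-auth-method pre-shared-key preshared-key "replace-with-a-long-random-secret" phase1-encrypt-algorithm 3des phase1-hash-algorithm sha1 phase1-perfect-forward-secrecy modp1024

# Task 2: custom IPsec policy, Tunnel mode, ESP, Phase 2 proposal as in steps 8-11
# (lifetime 1440 is the page's default; the algorithm choices are the legacy defaults).
create net ipsec ipsec-policy tunnel-policy-A mode tunnel tunnel-local-address 2.2.2.2 tunnel-remote-address 3.3.3.3 protocol esp ike-phase2-auth-algorithm sha1 ike-phase2-encrypt-algorithm 3des ike-phase2-perfect-forward-secrecy modp1024 ike-phase2-lifetime 1440

# Task 3: bidirectional traffic selector that binds the protected networks to the policy.
# Anything not matched by a selector with action protect leaves the system in the clear.
create net ipsec traffic-selector ts-A-to-B source-address 1.1.1.0/24 destination-address 4.4.4.0/24 direction both action protect ipsec-policy tunnel-policy-A

save sys config

# ---- BIG-IP B (tunnel endpoint 3.3.3.3, local network 4.4.4.0/24): the same objects, mirrored ----
# Same preshared key and the same Phase 1 / Phase 2 algorithms, or negotiation fails.
create net ipsec ike-peer ike-peer-to-A remote-address 2.2.2.2 phase1-auth-method pre-shared-key preshared-key "replace-with-a-long-random-secret" phase1-encrypt-algorithm 3des phase1-hash-algorithm sha1 phase1-perfect-forward-secrecy modp1024
create net ipsec ipsec-policy tunnel-policy-B mode tunnel tunnel-local-address 3.3.3.3 tunnel-remote-address 2.2.2.2 protocol esp ike-phase2-auth-algorithm sha1 ike-phase2-encrypt-algorithm 3des ike-phase2-perfect-forward-secrecy modp1024 ike-phase2-lifetime 1440
create net ipsec traffic-selector ts-B-to-A source-address 4.4.4.0/24 destination-address 1.1.1.0/24 direction both action protect ipsec-policy tunnel-policy-B
save sys config

# ---- Verification (on either system), after sending traffic between 1.1.1.0/24 and 4.4.4.0/24 ----
# Check that the peer's remote-address and the policy's tunnel-remote-address agree.
list net ipsec ike-peer
list net ipsec ipsec-policy
list net ipsec traffic-selector
# Negotiated security associations appear here once Phase 1 and Phase 2 succeed
# (command name assumed; check with "tmsh help show net ipsec").
show net ipsec ipsec-sa
# From a bash prompt: between the endpoints only ESP should be visible on the WAN VLAN.
# If the inner TCP/UDP flows are still readable, the traffic selector is not matching.
#   tcpdump -ni external host 3.3.3.3 and esp
```

The mirrored B-side block is the concrete meaning of "perform this task on each BIG-IP system": every address that is local on A is remote on B, while the key, algorithms, and lifetime are identical on both sides.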

Implementation results

To summarize, you now have the following IPsec configuration on this BIG-IP system, for both inbound and outbound traffic.

For Phase 1 negotiation, the BIG-IP system:
  • Uses either X.509 certificates (RSA signature) or preshared keys as the authentication method
  • Uses the authentication algorithm SHA-1
  • Uses the encryption algorithm 3DES
  • Uses a Perfect Forward Secrecy (Diffie-Hellman group) value of MODP1024
For Phase 2 negotiation, the BIG-IP system:
  • Secures traffic in Tunnel mode, using the ESP protocol
  • Dynamically negotiates the IPsec security parameters, using an SA lifetime of 1440 minutes
  • Uses the authentication algorithm SHA-1
  • Uses the encryption algorithm 3DES
  • Uses a Perfect Forward Secrecy value of MODP1024